The Short-lived Fallacy of Biometrics

When MasterCard introduced a feature last year in twelve countries that identifies the payor via fingerprint scanner or selfie, it took one further step toward abandoning the immensely flawed concept of chosen passwords and PINs. Considering the deplorable state of imaginative solutions – the globally dominant password being 123456 and the most-used PIN being 1234 – the move seemed long overdue. Another contributor to security breakdowns is the mushrooming number of “different” password requirements no one can seriously be expected to remember, particularly in combination with a multitude of user names and ever-simplified “forgot password” functions.

HSBC has additionally enabled identification via voice recognition software that verifies some 100 unique speech characteristics, such as speed, vocal tract and nasal tones, enough of which are said to work even when the user suffers from a cold. Wells Fargo and a range of other banks have enabled log-in via retina scan. Canadian start-up Nymi authenticates individuals through their pulse, taken by a wearable prototype that interacts with near field communication terminals.

While banks and fintechs may be right in concluding that this increases safety beyond passwords, there is no question that biometrics will inaugurate just another round in the perpetual arms race between security and illegitimate access.

Its limitations are increasingly obvious.

At the 2014 Chaos Communication Congress, hacker Starbug, a.k.a. Jan Krissler, showed how a picture of German minister of defense Ursula von der Leyen, taken with a single-lens reflex camera from a distance of three meters, sufficed to reproduce her thumbprint with VeriFinger, a graphics software tool.

Researchers at Michigan State University developed a simple method to print pictures of fingerprints on an ordinary printer with a resolution sufficient to fool fingerprint readers, unlocking smartphones and completing transactions via Apple Pay.

The ACLU has shown that selfie scans depend heavily on lighting conditions and may be influenced by changes in hairdo, ageing or weight.

Background noises and recording issues may interfere with identification by voice recognition.

When hackers accessed 40,000 accounts at British Tesco Bank and withdrew funds from 9,000 accounts, the monetary loss of £2.5 million was the least of it and highlighted the consequences of compromised biometric databases: while one may change passwords with a minimum of fuss, not quite the same can be said for getting a new fingerprint or face – here, the method of identification is compromised, potentially permanently. It turns out that biometrics may be worse than passwords, and hackers are still notoriously at least one step ahead of the game.